A-LAM-4

Lambda Functions Without Logs

Risk:
Moderate

AWS Lambda Functions without Logs


Details

AWS Lambda is a compute service offered by AWS. As a compute runtime, all aspects of computation and process management are handled by the AWS Lambda service. This means that environment variables, the runtime environment, input, and output - including standard error and standard output - must be configured as part of the Lambda function’s configuration. Standard output and standard error are sent to AWS CloudWatch Logs, which collects the output from a function’s execution for later review.

If no AWS CloudWatch log group is configured to collect logs from your Lambda function, the execution output, including both standard output and standard error, will not be captured. This means there will be no logs from your code's execution. Standard output and standard error are critical for auditing, error handling, maintenance, and investigations when issues arise. Without logs, there is significantly less information available to debug and investigate problems that occur during normal operations.

Remediation

To resolve this, first identify any AWS Lambda functions that do not have a CloudWatch Log group associated with them. This can be found under the function's Logging configuration, under the CloudWatch log group setting. By default, AWS Lambda creates a log group for the function when it is first invoked. However, if the IAM Role assigned to the function does not have permission to create a log group, the log group will not exist.

For an existing function that doesn't have a Log Group, it is best to create the Log Group separately and configure the function to log to the new Log Group. It is also important to ensure that the IAM Role configured for the function has permission to write to the new Log Group. This can be granted with the policy below, which is also available as the AWS managed policy arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

The above policy allows the function to write to any log group in the account ("Resource": "*"). It can be hardened by restricting the Resource to the ARN of the new Log Group, so the function can log only there. If you have specific security policies that your functions need to adhere to, we offer architectural support to help determine your policies and translate them into concrete IAM policies.
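The following script is an added example, not part of this finding or of any AWS-provided code. It shows both halves of the remediation above: the check (which functions have a configured log group that does not exist) and the hardened policy (the AWSLambdaBasicExecutionRole permissions scoped to one log group's ARN). The input is constructed inline and shaped like the JSON returned by `aws lambda get-function-configuration` and `aws logs describe-log-groups`; in a real review you would feed it the output of those commands. The region, the account id 123456789012 and the function names are placeholders.

```python
import json

# Constructed sample data, shaped like the AWS CLI output of
# `aws lambda get-function-configuration` (FunctionName, LoggingConfig)
# and `aws logs describe-log-groups` (logGroupName).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "order-webhook", "LoggingConfig": {"LogGroup": "/aws/lambda/order-webhook"}},
    {"FunctionName": "billing-export"},  # no LoggingConfig: uses the default group name
    {"FunctionName": "nightly-report", "LoggingConfig": {"LogGroup": "/app/nightly-report"}},
]
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/order-webhook"},
    {"logGroupName": "/app/nightly-report"},
    # "/aws/lambda/billing-export" is deliberately absent: the role never
    # had logs:CreateLogGroup, so first invocation could not create it.
]


def configured_log_group(function_config):
    """Return the log group name a function writes to.

    Lambda uses LoggingConfig.LogGroup when it is set; otherwise it falls
    back to /aws/lambda/<FunctionName>, the group it tries to create on
    first invocation.
    """
    explicit = function_config.get("LoggingConfig", {}).get("LogGroup")
    return explicit or f"/aws/lambda/{function_config['FunctionName']}"


def functions_without_log_group(function_configs, log_groups):
    """List function names whose configured log group does not exist."""
    existing = {g["logGroupName"] for g in log_groups}
    return [
        f["FunctionName"]
        for f in function_configs
        if configured_log_group(f) not in existing
    ]


def scoped_logging_policy(region, account_id, log_group_name):
    """Hardened variant of the AWSLambdaBasicExecutionRole statement.

    The log group is created separately (as the remediation recommends),
    so the role needs only CreateLogStream and PutLogEvents, and the
    Resource is the group's ARN. The trailing ':*' covers the log streams
    created under that group.
    """
    group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_name}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": group_arn,
            }
        ],
    }


if __name__ == "__main__":
    missing = functions_without_log_group(SAMPLE_FUNCTIONS, SAMPLE_LOG_GROUPS)
    print("Functions without an existing log group:", missing)
    for name in missing:
        # Placeholder region and account id; substitute your own values.
        policy = scoped_logging_policy("eu-west-1", "123456789012", f"/aws/lambda/{name}")
        print(f"Scoped logging policy for {name}:")
        print(json.dumps(policy, indent=2))
```

Run as-is it reports `billing-export` as the function whose log group is missing and prints a policy that lets its role write only to `/aws/lambda/billing-export`. Because the group is created out of band, `logs:CreateLogGroup` is intentionally left out of the scoped statement.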

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.